Jun 23, 2021 - by Matt Serlin
Security is top of mind for everyone now, but domain name professionals have their own unique blend of threats to defend against. None of the security concerns of the past two decades have gone away, and many new problems have surfaced.
Hackers, squatters, infringers and other bad actors are still thorns in the side of domain name professionals everywhere and they can dramatically interfere with companies and their customers alike. However, through careful planning, strategy and the use of technology, domain name professionals can effectively protect their company’s domains and brands.
Monitoring is the Key to Addressing Domain Name Abuse
Twenty years ago, in the early days of domains, many companies wanting to ward off abuse would probably have spared no expense in attempting to register every conceivable variation across every TLD to protect their brands online. This preemptive approach is simply no longer practical. Not only is it expensive, but it’s wildly ineffective because infringers and fraudsters can easily add a hyphen or additional character to domains to make them similar enough to the legitimate domain. Instead of trying to register every variation, companies should instead monitor domains for abuse and take immediate action when incidents occur.
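As an added illustration (not code from the original article), the following Python generates the hyphenated, mistyped and lookalike variants of a brand domain that such monitoring should watch for, so they can be checked against new-registration feeds or certificate transparency logs. The brand domain examplebank.com, the variant classes and the homoglyph table are constructed for the example and are not exhaustive.

```python
# Added example: build a watchlist of lookalike domains for a brand name.
# Not from the original article; "examplebank.com" and the homoglyph table
# below are constructed for illustration.

# Characters an attacker commonly swaps for a visually similar one (subset).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}

def split_domain(domain):
    """Split 'examplebank.com' into ('examplebank', 'com').
    Assumes a single-label TLD; brand.co.uk would need extra handling."""
    label, _, tld = domain.lower().partition(".")
    return label, tld

def hyphen_variants(label):
    """Insert a hyphen at every interior position: exam-plebank ..."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}

def omission_variants(label):
    """Drop one character: exmplebank ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def repetition_variants(label):
    """Double one character: exaamplebank ..."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def transposition_variants(label):
    """Swap two adjacent characters: examplebnak ..."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def homoglyph_variants(label):
    """Replace one character with a lookalike: examp1ebank, exarnplebank ..."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out

def insertion_variants(label, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Insert one extra character anywhere: examplebanks, examplebankk ..."""
    out = set()
    for i in range(len(label) + 1):
        for c in alphabet:
            out.add(label[:i] + c + label[i:])
    return out

def generate_watchlist(domain, extra_tlds=("net", "org", "co", "info")):
    """Return a sorted list of candidate lookalike domains for `domain`:
    every label mutation above on the original TLD, plus the untouched
    label on a few common alternative TLDs."""
    label, tld = split_domain(domain)
    labels = set()
    for fn in (hyphen_variants, omission_variants, repetition_variants,
               transposition_variants, homoglyph_variants, insertion_variants):
        labels |= fn(label)
    labels.discard(label)  # never list the legitimate name itself
    candidates = {f"{l}.{tld}" for l in labels}
    candidates |= {f"{label}.{t}" for t in extra_tlds if t != tld}
    return sorted(candidates)

if __name__ == "__main__":
    watchlist = generate_watchlist("examplebank.com")
    print(f"{len(watchlist)} candidates, e.g.:")
    for d in watchlist[:10]:
        print("  ", d)
```

Each new registration, certificate or DNS query for a name on this list is a candidate incident to triage; the list is deliberately broad, so the value is in matching it against live data rather than in registering any of it.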
Close Collaboration with IT Security Is Required
Current security technology provides a strong defense for corporate domain name portfolios, but only if it is actually applied. At many companies the domain management team partners closely with the information technology (IT) security team, yet often IT security does not become involved until an incident occurs. Since it is not reasonable to expect someone from the legal or marketing departments to establish and implement security best practices, the domain management team must collaborate closely with IT and network security.
The company’s IT/network security team can set standard security protocols. For mail, these include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on SPF and DKIM and only blocks spoofed mail once its policy is set to quarantine or reject rather than none; for the registrar itself, two-factor authentication on every account. Deploying these controls makes it much harder for phishers and other bad actors to formulate an attack, because they must clear many more hurdles to intrude.
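The following Python, added here and not from the article, audits SPF and DMARC TXT records for the weak settings an attacker benefits from (a permissive `all`, too many lookups, a monitoring-only DMARC policy, unprotected subdomains). The four records it checks are constructed samples, not any real domain's records; a weak and a hardened version of each are shown side by side.

```python
# Added example, not from the article: audit SPF and DMARC TXT records for
# the weak settings that let spoofed mail through. All four records below are
# constructed samples; fetch real ones with `dig TXT example.com` and
# `dig TXT _dmarc.example.com`.

# SPF terms that each consume one of the ten DNS lookups a receiver will make
# (RFC 7208 section 4.6.4). "include" recurses, so this count is a lower bound.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def audit_spf(record):
    """Return a list of findings for one SPF record (empty = nothing weak)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    body = terms[1:]
    # The final "all" decides the fate of senders that matched nothing above.
    all_terms = [t for t in body if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' (neutral) gives receivers no basis to reject spoofed mail")
        elif qualifier == "~":
            findings.append("'~all' (softfail) only helps when DMARC is at quarantine or reject")
        if last != body[-1]:
            findings.append("terms after 'all' are never evaluated")
    lookups = 0
    for t in body:
        name = t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated and unreliable; use ip4/ip6 or include")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_dmarc(record):
    """Return a list of findings for one DMARC record (empty = nothing weak)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= tag; receivers ignore the record"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports are clean")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected despite the parent policy")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct, _ = 100, findings.append("invalid pct= value")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports will arrive")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(f"note: {tag}=r (relaxed) lets any subdomain align")
    return findings

# Constructed sample records: weak setting beside the hardened one.
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ~all"
HARDENED_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, audit_spf),
                           ("hardened SPF", HARDENED_SPF, audit_spf),
                           ("weak DMARC", WEAK_DMARC, audit_dmarc),
                           ("hardened DMARC", HARDENED_DMARC, audit_dmarc)):
        print(f"{label}: {fn(rec) or 'OK'}")
```

The relaxed-alignment entries are informational rather than defects; strict alignment is the safer default for a brand domain but breaks legitimate subdomain senders if they are not set up for it.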
Single Sign-On to Access Domain Management Accounts
Companies are well-advised to deploy single sign-on for registrar and domain management portals. It centralizes authentication in the company's identity provider, so each user only has the rights their role grants, access is revoked automatically when an employee leaves, and the shared or forgotten registrar passwords that otherwise accumulate disappear. Fairly straightforward for IT to set up, single sign-on addresses many blind spots around employees leaving or trying to access data they should not have access to.
Registry Lock Thwarts Attackers
Registry lock, particularly for the most high-profile and critical domain names, is one of the most effective ways to block fraudsters from interfering with domains. A registry lock sets server-side status codes (serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited) on the name at the registry itself, so it cannot be modified, deleted or transferred through the normal automated registrar channel, even by someone holding a valid registrar login. Domains can only be updated when a manual security protocol is completed between the registrant and the registrar, typically an out-of-band verification of a named contact. Then, a second protocol between the registrar and registry temporarily lifts the lock so the name can be updated. Registry lock is helpful both to thwart those with malicious intent and also to prevent accidental human errors from causing damage.
Without a safeguard like registry lock in place, a compromised registrar account is enough to take a domain offline or redirect it. Both of these scenarios can have costly and dangerous outcomes for the organization. Most corporate registrars provide registry locks for an annual fee, so the handful of domains that carry the company's main website, mail and authentication traffic are the ones to prioritize.
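As an added example not drawn from the article, the following Python reads the EPP status codes from WHOIS text or an RDAP response and reports whether a domain carries a registry lock, only a registrar-side lock, or nothing. It assumes a registry lock appears as the three server-side prohibitions named above (the client-side ones are set by the registrar and can be cleared through its portal); both inputs are constructed samples.

```python
# Added example, not from the article: confirm that a registry lock is really
# in place by classifying a domain's EPP status codes. Assumption: a registry
# lock shows as the three server* prohibitions; client* codes are a registrar
# lock that anyone with a registrar login can remove. Sample data is constructed.

REGISTRY_LOCK = {"serverupdateprohibited", "serverdeleteprohibited",
                 "servertransferprohibited"}
REGISTRAR_LOCK = {"clientupdateprohibited", "clientdeleteprohibited",
                  "clienttransferprohibited"}

def normalise(status):
    """Map a WHOIS value ('serverUpdateProhibited https://icann.org/epp#...')
    or an RDAP status string ('server update prohibited', RFC 8056) to one
    lowercase token, e.g. 'serverupdateprohibited'."""
    tokens = [t for t in status.split() if not t.lower().startswith("http")]
    return "".join(tokens).lower()

def lock_level(statuses):
    """Return (level, missing) where level is 'registry', 'registrar' or
    'none' and missing is the set of server-side prohibitions not present."""
    present = {normalise(s) for s in statuses}
    missing = REGISTRY_LOCK - present
    if not missing:
        return "registry", set()
    if present & REGISTRAR_LOCK:
        return "registrar", missing
    return "none", missing

def statuses_from_whois(text):
    """Collect every 'Domain Status:' value from WHOIS output."""
    out = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "domain status" and value.strip():
            out.append(value.strip())
    return out

def statuses_from_rdap(doc):
    """Collect the 'status' array from a parsed RDAP domain object."""
    return list(doc.get("status", []))

# Constructed WHOIS excerpt for a domain with a registry lock in place.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Constructed (already parsed) RDAP object for a domain with only a registrar lock.
REGISTRAR_ONLY_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.net",
    "status": ["client transfer prohibited", "client update prohibited"],
}

if __name__ == "__main__":
    for name, statuses in (("example.com", statuses_from_whois(LOCKED_WHOIS)),
                           ("example.net", statuses_from_rdap(REGISTRAR_ONLY_RDAP))):
        level, missing = lock_level(statuses)
        print(f"{name}: {level} lock; missing {sorted(missing) or 'nothing'}")
```

Run this periodically over the critical-domain list: a registry lock that silently lapses (for instance after a registrar migration) looks exactly like one that was never bought.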
The Antidote to DNS Cache Poisoning: DNSSEC
DNS (Domain Name System) cache poisoning attacks have become more commonplace in recent years. In these attacks, an attacker injects forged records into a recursive (caching) resolver, which then answers later queries with the attacker's data. When someone types in the correct domain name, the resolver returns the wrong address and the user is silently redirected, even though no system belonging to the domain owner was touched.
DNS cache poisoning can be addressed by implementing DNSSEC (Domain Name System Security Extensions), which adds digital signatures to DNS record sets so that a validating resolver can confirm they were published by the zone owner and not altered in transit. The chain of trust runs from the root zone through the TLD registry, which publishes a DS record for the domain that the registrar submits on the registrant's behalf, down to the domain's own signing keys. A validating caching resolver rejects any answer whose signatures do not chain back to the root, which protects Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address initially requested.
From a security standpoint, DNSSEC lets validating caching resolvers verify that the records they return are the ones the domain owner signed, defeating cache poisoning and on-path tampering with DNS answers. Two caveats apply: it does not encrypt queries, and it only protects clients whose resolver validates; and the zone's keys must be rolled and the DS record at the registry kept in sync, or the domain stops resolving for those very clients. For any business collecting credential information or transacting online commerce, implementing DNSSEC is highly recommended.
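As an added illustration, not code from the article, the following Python derives the DS record that the registrar submits to the registry from a zone's DNSKEY, which is the link in the chain of trust just described: the parent zone publishes a hash of the child's key-signing key, and a validating resolver checks that the child's DNSKEY matches it before trusting the child's signatures. The key material here is a constructed placeholder, not a real key; the encoding and key-tag rules follow RFC 4034.

```python
# Added example, not from the article: compute the DS record (key tag and
# digest) that the parent zone publishes for a child's DNSKEY, per RFC 4034.
# The key bytes below are a constructed placeholder; use `dig DNSKEY <zone>`
# to obtain a real key-signing key.
import base64
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format:
    'Example.COM' -> b'\\x07example\\x03com\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3),
    8-bit algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the general case; algorithm 1 differs).
    Used to tell apart several keys in the same zone, not as a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA).
    Digest type 2 is SHA-256 (RFC 4509), type 4 is SHA-384 (RFC 6605)."""
    algos = {2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in algos:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return algos[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_record(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Render the DS RR as the registrar would send it to the registry."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    return (f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")

# Constructed placeholder for a 64-byte ECDSA P-256 (algorithm 13) public key.
# Flags 257 = zone key + secure entry point, i.e. a key-signing key.
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    print(ds_record("example.com", 257, 3, 13, SAMPLE_KSK_B64))
    print(ds_record("example.com", 257, 3, 13, SAMPLE_KSK_B64, digest_type=4))
```

The practical check this enables: recompute the DS from the DNSKEY your zone is actually serving and compare it with what the registry publishes (`dig DS example.com`); a mismatch after a key rollover or provider change is exactly the state that makes the domain fail validation.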
Setting a Domain Name Security Policy
Without a written domain name security policy, the organization is vulnerable. It’s critically important to establish a policy that defines who can register domains, what they can register, and when in the brand lifecycle to register. Large companies are often in a constant battle resulting from employees conducting unauthorized registrations on their own rather than going through the company’s official domain management process. Having policies in place and ensuring people are aware of the policy will help prevent rogue activity.
Policy can govern rules around expiration, how TLDs and variations should be requested, and can dictate the prescribed workflow around domains. Some companies use forms to standardize domain name applications, others use a dedicated email address. Either way, centralized management of domain names should exist; policy is key to this effort.
The security policy should also include a step-by-step process for responding to security incidents or breaches as they arise. This comes back to the relationship between IT security and other departments which must collaborate during a crisis situation. By forging strong partnerships with IT security, legal and also public relations contacts, domain name professionals can respond to security incidents based on an organized protocol rather than panicking and making reckless decisions.
Picking The Right Registrar
Not all registrars are equally capable of protecting domains from security threats. More sophisticated corporate registrars can provide the technology solutions mentioned above, and their own systems are hardened against attacks. They can also restrict users by IP address, monitor for suspicious logins, ensure that the data in their databases matches the data at the registry, and monitor for unauthorized domain name updates. Ideally, a company’s registrar follows security best practices, undergoes periodic penetration testing, and requires employees to attend social engineering training. When the registrar has the experience and resources to defend against intrusions, and treats clients as equal partners, it is much more effective in guarding their domain assets.
Ensuring security and mitigating risk is a crucial part of a domain name professional’s job. Staying vigilant through judicious use of human and technology resources is the best way to ward off problems like DNS cache poisoning, infringement, hacking and squatting. When a breach does occur, a well-thought-out policy guides the team through what to do, and who does what and when, to neutralize the incident’s effects. Choosing the right registrar adds another layer of protection. Equipped with the right resources, the organization’s domain name risks are mitigated and portfolios remain secure.
The information contained in this blog is provided for general informational purposes about domains. It is not specific advice tailored to your situation and should not be treated as such.
With a focus on security, service and support, Matt Serlin joined the company in 2017 to lead all domain operations, including client services and domain name provisioning. Matt has over 15 years of direct domain name experience most recently with MarkMonitor where he was instrumental in building the industry’s first dedicated client services team, which has become the de facto standard for all corporate registrars.